Symantec reported a major dynamic link library (DLL) code vulnerability that affects three of its enterprise security products. DLL code vulnerabilities are usually considered to be lesser threats to enterprises. What is the flaw, and why has Symantec labeled it as a severe vulnerability?
A flaw that allows attackers to load malicious DLL files was found by one of Symantec's senior threat analysis engineers in its IT Management Suite 8.0, Ghost Solution Suite 3.1 and Endpoint Virtualization 7.x products. According to Symantec, the affected products don't use an absolute path when loading DLL files during the boot process.
A DLL holds code and data that more than one application can use at the same time. Like an executable file, a DLL can contain code, data and resources, such as images; the difference is that a DLL is not run as a program of its own but is loaded into the address space of whatever process needs it.
There are many benefits to using shared libraries, including modularity, code reuse, reduced disk space, and efficient memory usage and load times. However, if an application loads a DLL by name without specifying a fully qualified path to its location, it opens up the possibility of a DLL preloading attack (also called DLL hijacking or binary planting): unless the DLL is already loaded or is one of the protected known DLLs, Windows locates the file by searching a well-defined list of directories in order, among them the application's directory, the system directories, the current working directory and the directories on the PATH. If an attacker can copy a malicious DLL of the same name into a directory that is searched before the directory holding the legitimate copy, the application loads and executes the attacker's DLL instead of the one it expected. That lets the attacker run code with the privileges of the user running the application; when the application runs as an administrator or as a system service, this becomes a local elevation of privilege.
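To make the search-order behaviour concrete, the following is an added example written for this article, not code from Symantec or Microsoft. It models the documented Windows DLL search order for desktop applications over a constructed in-memory file system, resolves an unqualified name versus a fully qualified path, and lists the directories an attacker could plant a DLL in. The directory names, the `helper.dll`/`agent.exe` scenario and the writable-directory sets are all assumptions made for the example; the model also leaves out the KnownDLLs list and already-loaded modules, which the real loader consults before searching at all.

```python
"""Model of the Windows DLL search order, written for this article to show
how a DLL preloading attack works. Not Symantec's or Microsoft's code.
The two search orders follow Microsoft's documented "Dynamic-Link Library
Search Order" for desktop applications; the file system is a constructed
in-memory map, and the KnownDLLs list and already-loaded modules are
deliberately left out of the model."""
from pathlib import PureWindowsPath

# Assumed system directories for a standard 64-bit Windows install.
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories the loader searches for an unqualified DLL name, in order.

    With SafeDllSearchMode on (the default since Windows XP SP2) the current
    directory is searched only after the system directories; with it off, it
    is searched immediately after the application's own directory.
    """
    if safe_dll_search_mode:
        order = [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd]
    else:
        order = [app_dir, cwd, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    return order + list(path_dirs)


def resolve(dll_name, filesystem, app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Return the file the loader would pick for `dll_name`, or None if absent.

    `filesystem` maps a directory to the set of file names it contains.
    A name that carries a directory component is treated as a fully
    qualified path and loaded from there with no search at all, which is
    the fix Microsoft recommends for DLLs an application ships itself.
    """
    wanted = PureWindowsPath(dll_name)
    if wanted.parent != PureWindowsPath("."):
        names = {n.lower() for n in filesystem.get(str(wanted.parent), set())}
        return str(wanted) if wanted.name.lower() in names else None
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        names = {n.lower() for n in filesystem.get(directory, set())}
        if wanted.name.lower() in names:  # loader matches names case-insensitively
            return str(PureWindowsPath(directory) / wanted.name)
    return None


def plantable_dirs(legit_dir, app_dir, cwd, path_dirs, writable_dirs,
                   safe_dll_search_mode=True):
    """Attacker-writable directories searched before the legitimate copy in
    `legit_dir`. Pass legit_dir=None for a DLL the application only loads
    optionally (the common missing-DLL case): then every writable directory
    in the search order is a planting spot."""
    spots = []
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        if legit_dir is not None and directory.lower() == legit_dir.lower():
            break
        if directory in writable_dirs:
            spots.append(directory)
    return spots


def demo():
    """Constructed scenario: an agent whose helper.dll lives in System32 is
    launched while the current directory is the user's Downloads folder,
    where a planted helper.dll has been saved."""
    app_dir = r"C:\Program Files\Vendor\Agent"
    downloads = r"C:\Users\victim\Downloads"
    path_dirs = [SYSTEM_DIR, WINDOWS_DIR, r"C:\Tools"]
    fs = {
        SYSTEM_DIR: {"kernel32.dll", "helper.dll"},  # vendor's legitimate copy
        app_dir: {"agent.exe"},
        downloads: {"helper.dll"},                  # attacker's planted copy
    }
    fs_app_planted = {**fs, app_dir: {"agent.exe", "helper.dll"}}
    return {
        # Default safe mode: System32 is searched before the current directory.
        "safe_mode": resolve("helper.dll", fs, app_dir, downloads, path_dirs, True),
        # Safe mode disabled: the planted copy in the current directory wins.
        "unsafe_mode": resolve("helper.dll", fs, app_dir, downloads, path_dirs, False),
        # A fully qualified path never consults the search order.
        "full_path": resolve(SYSTEM_DIR + r"\helper.dll", fs, app_dir, downloads, path_dirs, False),
        # The application directory is searched first in both modes, so a
        # writable install directory defeats SafeDllSearchMode entirely.
        "planted_in_app_dir": resolve("helper.dll", fs_app_planted, app_dir, downloads, path_dirs, True),
    }


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case:20} -> {chosen}")
```

The `plantable_dirs` check is the part worth reusing when reviewing an application: feed it the directory the vendor actually ships the DLL from (or `None` for an optional DLL that is normally absent), the directories the account running the application can write to, and whether SafeDllSearchMode is on, and an empty result means no preloading position exists for that name.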
Although many experts see this type of malicious DLL vulnerability as low risk, Symantec classified the issue, listed as CVE-2016-6590, as high risk under the Common Vulnerability Scoring System version 3 (CVSS v3) methodology, whose scoring formula is a mathematical approximation of all possible metric combinations ranked in order of severity.
The fact that this vulnerability can lead to code execution is the main reason it scores highly, even though an attacker would first need to trick an authorized user into visiting a malicious website or clicking a malicious email link so that the malicious DLL ends up in a directory the affected product searches when it loads the library.
Microsoft has published guidance on securely loading DLLs for several years: load libraries the application ships by fully qualified path, use LoadLibraryEx with the LOAD_LIBRARY_SEARCH_* flags or SetDefaultDllDirectories to restrict the search to trusted directories, and remove the current directory from the search path with SetDllDirectory. It's therefore disappointing that Symantec didn't follow this best practice. Symantec has released updates to address the problem.
Related Q&A from Michael Cobb